Skill v1.0.32

ClawScan security

Agentshield Audit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Apr 1, 2026, 1:37 PM)
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code, instructions, and network interactions are consistent with a local security-audit / trust-handshake tool: it runs 77 local tests, stores private keys locally, and only sends a sanitized summary (test_id, passed, category) to a remote API — but you should verify the endpoint and run the dry-run before submitting real data.
Guidance
High-level: this package appears coherent for its stated purpose (local security tests + certificate-based trust handshake), and the authors built a dry-run + whitelist sanitization to avoid leaking test payloads. Before installing or running in production:
1) Run the dry-run mode (python3 initiate_audit.py --auto --dry-run) and inspect the exact payload the tool would submit.
2) Verify you are using v1.0.32 or later (notes indicate v1.0.31 had a sanitization bug).
3) Confirm the API endpoint you will contact (AGENTSHIELD_API). If you don't trust agentshield.live, override the env var or run only locally.
4) Review the code that reads local files and the private key path (~/.openclaw/workspace/.agentshield/) and ensure permissions are appropriate.
5) If you run automated (--yes/--auto) mode, only do so in sandboxed or pre-audited environments.
6) If you want stronger assurances, run the package in an isolated VM/container and inspect network traffic during a dry-run.
These steps minimize risk and verify the implementation matches the privacy claims.
Findings
[ignore-previous-instructions] expected: The SKILL and attack-pattern files intentionally include prompt-injection strings (e.g., 'ignore previous instructions', 'jailbreak') because they are used as test vectors for prompt-injection detection. The static detector flagged them, which is expected for an audit tool.
[unicode-control-chars] expected: The code and example prompts include checks for zero-width/RTL control characters (unicode attack vectors). The presence of these patterns in tests/prompt examples is expected and appropriate for an auditing suite.
[dangerous-command-patterns] expected: agentshield_attack_patterns.json lists dangerous strings (e.g., 'rm -rf /', 'curl | bash') as attack payloads. Static scanners flag these, but this is deliberate as part of live attack simulations — expected for this tool. Do not run attack payloads against production systems.

Review Dimensions

Purpose & Capability
[ok] The name/description (AgentShield, trust layer + audits + handshake) align with the included scripts: audit runner, sanitizing API client, handshake/completion, key/cert handling, secret & supply-chain scanners. Network calls to a central API (agentshield.live) and local file/key access (~/.openclaw/workspace/.agentshield/) are expected for certificate issuance and handshake.
Instruction Scope
[note] SKILL.md and the scripts instruct running local tests and optionally contacting the API. The docs explicitly describe human-in-the-loop consent before reading IDENTITY.md/SOUL.md and provide a --dry-run mode to preview payloads. The SKILL.md (and included example files) contains prompt-injection test strings and zero-width/unicode examples; these triggered static detectors but are legitimate test vectors for an auditing tool. Still: follow the recommended dry-run and consent flow before any real submission.
Install Mechanism
[ok] There is no remote installer; the package is a bundled Python toolset and SKILL.md instructs pip install -r requirements.txt (cryptography, requests). This is proportional to the task and does not fetch arbitrary code at runtime. No suspicious external download URLs were found in the provided manifest.
Credentials
[note] The skill declares no required credentials and only optional env vars (AGENTSHIELD_API, AGENT_NAME, OPENCLAW_AGENT_NAME). It reads local identity files and stores a private Ed25519 key locally (claimed mode 600). Those privileges are appropriate for generating/signing certificates, but they are sensitive: verify file paths/permissions and that you consent before the tool reads those files. The tool also performs outbound network requests to agentshield.live; this is expected, but verify the endpoint before sending data.
Persistence & Privilege
[ok] always:false and disable-model-invocation:false (normal). The skill stores keys and certificates in its own workspace directory and does not claim to modify other skills or system-wide agent settings. No 'always' or other elevated persistent privileges are requested.